Splunk Search

How to show all data of one field?

userQ
Loves-to-Learn

Hello, I'll give some context before showing the query.

I have a Splunk instance that I test on to see the query results, because I don't have access to the Splunk instance that holds the data.

I have a query that shows me the results for these two hostnames, but I need the same result for all hostnames, not just these two.


I have 2 queries.

The first query gets me the results for the two machines, although I don't know whether it does so because I have the data inserted (I can't find it by index) or because I use makeresults (I read that it works in cache and the data doesn't have to exist).

| makeresults
| eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"
| makemv delim="," hostname
| makemv delim=" " EventCode
| makemv delim=" " error_code
| mvexpand EventCode
| mvexpand hostname
| mvexpand error_code
| table hostname EventCode error_code


I'd like to use the latter, since it's easier for me to display results by hostname, which in this case is called ComputerName.

What can I do to show all ComputerName values with these same filters?

index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27)
| eval day_of_week = lower(strftime(_time, "%A"))
| eval date_string = strftime(_time, "%Y-%m-%d")
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null())
| search Weekend=1
| stats count by Message EventCode ComputerName date_string
| stats list(Message) by ComputerName date_string EventCode

It may simply not be possible to list all the computer names without listing them one by one.

Thanks.


userQ
Loves-to-Learn

Hi, sorry if I didn't explain myself well.
I would like to get all the hostnames instead of just naming those two, for example: hostname=*

Using the * to mean all the hostnames there are.

I know the * doesn't work in Splunk the way it does in programming languages; it only worked with index=*, not inside the query on the data.


ITWhisperer
SplunkTrust

Why do you think * only works for index?

By not restricting the hostname i.e. not using a filter, you will be getting events for all hostnames. This is almost the same as hostname=* except that hostname=* will ensure hostname is not null.


ITWhisperer
SplunkTrust

I am not sure what you are asking for - all the computer names are listed by the stats call. Do you just want the computer names?

| stats values(ComputerName) as ComputerName
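As an added example (not part of ITWhisperer's replies or of the poster's own queries), the search below builds a handful of constructed Windows Update Agent events for several ComputerName values with makeresults, then runs the weekend filter from the question over all of them without naming any host. Everything in the data is invented for illustration: the host names, the Message text, and the dates (2024-03-09 and 2024-03-10 are a Saturday and a Sunday, 2024-03-11 is a Monday); the field names ComputerName, EventCode, Message and _time follow the query in the question. makeresults creates rows in memory and reads nothing from an index, so this runs on a Splunk instance that has no copy of index=sistemi. The fifth constructed row deliberately has no ComputerName at all, because that is the only case in which leaving the filter out and writing ComputerName=* behave differently.

```spl
| makeresults
| eval rec=mvappend(
    "wdv01ssps|20|2024-03-09|Installation Failure: Windows failed to install the following update with error 0x80070003",
    "DESCASSOAW01|27|2024-03-09|Installation Failure: Windows failed to install the following update with error 0x80004004",
    "srv03|20|2024-03-10|Installation Failure: Windows failed to install the following update with error 0x80070003",
    "wdv01ssps|20|2024-03-11|Installation Failure: Windows failed to install the following update with error 0x80070003",
    "-|20|2024-03-10|Installation Failure: Windows failed to install the following update with error 0x80004004")
| mvexpand rec
| eval ComputerName=mvindex(split(rec, "|"), 0),
       EventCode=mvindex(split(rec, "|"), 1),
       _time=strptime(mvindex(split(rec, "|"), 2), "%Y-%m-%d"),
       Message=mvindex(split(rec, "|"), 3)
| eval ComputerName=if(ComputerName="-", null(), ComputerName)
| fields - rec
| search EventCode IN (20, 27)
| eval date_string=strftime(_time, "%Y-%m-%d"),
       dow=tonumber(strftime(_time, "%w"))
| where dow=0 OR dow=6
| fillnull value="(missing)" ComputerName
| stats count by Message EventCode ComputerName date_string
| stats list(Message) as Messages by ComputerName date_string EventCode
```

Everything up to `fields - rec` is only the test-data generator; the commands after it are the pipeline from the question with two changes. The weekday test uses %w (0 = Sunday, 6 = Saturday) instead of comparing the English day name, so it does not depend on how %A is rendered. The fillnull is the practical point behind the "hostname=* ensures hostname is not null" remark: stats ... by ComputerName silently drops rows whose ComputerName is null, exactly as ComputerName=* would, so a host that logged events without a ComputerName disappears from the report without any sign that it did. With fillnull those rows are reported under "(missing)", where an analyst can see them. Against the constructed data the search returns four rows (wdv01ssps and DESCASSOAW01 on 2024-03-09, srv03 and "(missing)" on 2024-03-10); the Monday row for wdv01ssps is filtered out.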